Proposal

Add a new kind of entity, called evidence, to releases. These entities should contain the raw materials themselves, not links to them, and should include a strong checksum gathered at the time the release was created, so that the evidence cannot be tampered with later without detection.

For the first iteration (release 12.4), we will provide:

A snapshot of the release JSON and its SHA256 for the current source code associated with the tag. The content will include details of the release, the associated milestones, the project, and related issue details. Here is the release 12.6 JSON:

A link to the external location of the *.exe or installation file of the build/release (the link itself is not strong enough to be evidence, but it can help find the file easily during an audit):
"links": [ { "id": 3, "name": "hoge", "url": "https://google.com", "external": true } ]
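To make the distinction between the two items concrete, here is an added example (not code from the proposal or from GitLab) of what "raw materials plus a checksum taken at creation time" means in practice. The field names in the sample snapshot and the function names are assumptions for illustration; the point it demonstrates is that the hash is computed over a canonical serialization of the stored bytes, so a later edit to the snapshot is detected, while the external link is merely data inside the snapshot and proves nothing about the file it points to.

```python
import hashlib
import json

# Constructed sample of the kind of release snapshot the proposal describes.
# Field names are hypothetical, not the actual evidence schema.
SAMPLE_RELEASE = {
    "release": {"tag_name": "v12.4.0", "name": "12.4", "description": "sample"},
    "project": {"id": 1, "name": "example-project"},
    "milestones": [{"id": 7, "title": "12.4"}],
    "issues": [{"iid": 42, "title": "Example issue", "state": "closed"}],
    # The link is recorded as data; it is not itself evidence of the file.
    "links": [{"id": 3, "name": "hoge", "url": "https://google.com", "external": True}],
}


def canonical_bytes(release: dict) -> bytes:
    """Serialize deterministically so identical content always hashes the same.

    Sorted keys and fixed separators mean that differences in key order or
    whitespace in the source cannot produce a spurious mismatch later.
    """
    text = json.dumps(release, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def create_evidence(release: dict) -> dict:
    """Take the snapshot at release-creation time.

    Stores the raw bytes together with their SHA256, so the record does not
    depend on the live release, milestone or issue objects afterwards.
    """
    raw = canonical_bytes(release)
    return {"json": raw, "sha256": hashlib.sha256(raw).hexdigest()}


def verify_evidence(evidence: dict) -> bool:
    """Recompute the digest over the stored bytes.

    Any later change to the stored JSON, whether tampering or accidental
    corruption, changes the digest and the comparison fails.
    """
    return hashlib.sha256(evidence["json"]).hexdigest() == evidence["sha256"]


def short_sha(sha256: str, length: int = 8) -> str:
    """Abbreviated digest for display; the full value is what gets copied."""
    return sha256[:length]


if __name__ == "__main__":
    ev = create_evidence(SAMPLE_RELEASE)
    print("evidence sha256:", ev["sha256"], "short:", short_sha(ev["sha256"]))
    print("intact:", verify_evidence(ev))
    # Simulate a later edit to the stored snapshot: the digest no longer matches.
    edited = dict(ev, json=ev["json"].replace(b'"closed"', b'"opened"'))
    print("after edit:", verify_evidence(edited))
```

The checksum here only detects modification of the stored snapshot; it says nothing about the installer the link points to, which is why the proposal treats the file's own checksum as a later step.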

Future Considerations

In a later phase we will research how to obtain the actual checksum of the installation file, image and package, so that the artifact itself, and not only a link to it, can be verified.

UX Proposal

Add the evidence JSON and its SHA (a record that identifies the revision and lets a user confirm the data has not changed, for example through accidental corruption) under the Assets section of a Release, exposed as evidence_url.

The user sees the JSON evidence_url. Clicking on it downloads the file.

Next to the JSON, a short version of the SHA should be displayed. Clicking on the ellipsis icon next to it expands it to display the full SHA.

A button to copy the SHA to the clipboard should be available. Hovering it displays a tooltip that reads Copy SHA to clipboard. After the user clicks the button, the full SHA should be copied to the clipboard, and the tooltip text should change to Copied.